Public Bill Committee

[Mr Gary Streeter in the Chair]
Written evidence to be reported to the House
PF 75 Lancashire Clamping Co Ltd
PF 76 The Football Association
PF 77 Association of Managers in Education
PF 78 Northern Ireland Office of the Commissioner for Children and Young People
PF 79 A member of the public
PF 80 No CCTV
PF 81 Antony and Fiona Edwards-Stuart
PF 82 England and Wales Cricket Board
PF 83 Mrs S J Lyth
PF 84 Wandsworth Borough Council
PF 85 Independent Police Complaints Commission
PF 86 Amateur Swimming Association

Gary Streeter: Before we continue our line-by-line consideration of the Bill, I wish to remind members of the Committee that the Leader of the House has asked for any comments or suggestions from Members on the Public Reading stage pilot to be sent to his office no later than 24 May. I hope that you will all take the opportunity to submit your views on this most important new venture.

Clause 104

Lynne Featherstone: I beg to move amendment 223, in clause104,page82, line14,after ‘of’ insert—
‘, and sections (Establishment and constitution of DBS) to (Transfer schemes in connection with orders under section (Transfer of functions to DBS and dissolution of ISA)) and Schedule (Disclosure and Barring Service) in,’.

Gary Streeter: With this it will be convenient to discuss the following:
Government new clause 19—Establishment and constitution of DBS.
Government new clause 20—Transfer of functions to DBS and dissolution of ISA.
Government new clause 21—Orders under section (Transfer of functions to DBS and dissolution of ISA): supplementary.
Government new clause 22—Transfer schemes in connection with orders under section (Transfer of functions to DBS and dissolution of ISA).
Government new schedule 2—Disclosure and Barring Service.
Government amendment 241

Lynne Featherstone: Good morning on this, our last day in Committee. New clauses 19 to 22 and new schedule 2 put into effect our intention to bring the current functions of the Criminal Records Bureau and the Independent Safeguarding Authority together in one new body, to be known as the disclosure and barring service. It will be responsible for the barring regime and the disclosure of criminal records and is in line with the Government’s review of the vetting and barring scheme, which recommended that a single body be formed to undertake those duties. The National Society for the Prevention of Cruelty to Children supports the merger of the CRB and the ISA, and says that it should make the vetting and disclosure system more efficient and improve flows of information about individuals who may pose a risk to children and vulnerable adults. It is logical and sensible.
As a result of establishing a new non-departmental body rather than a new Home Office agency, decisions about barring individuals from working in regulated activity will continue to be taken independently of Ministers, which is as it should be. The new clauses and the new schedule would provide for the establishment of the disclosure and barring service as a new body corporate and for the dissolution of the Independent Safeguarding Authority. They would further provide for the transfer to the disclosure and barring service of the functions of the Independent Safeguarding Authority and the Criminal Records Bureau.
Provision is also made for the transfer of the staff of the two existing organisations, as well as their property, rights and liabilities. The TUPE regulations will apply to staff transfers, and the terms of the transfer will be set out more fully in a staff transfer scheme. It is our intention that both the existing sites for the Independent Safeguarding Authority and Criminal Records Bureau in Darlington and Liverpool will remain in use and retain their current functions. The new disclosure and barring service will bring together into the one body the important linked functions relating to criminal records and public protection. It will maintain the independence of the barring regime and provide the freedom to manage and deliver the overall service.
Amendments 223 and 241 would make consequential amendments to the clause, and provide for the extension of certain provisions under part 5 of the Bill to the Crown dependencies and the long title. Bringing together the Independent Safeguarding Authority and the Criminal Records Bureau in such a way is a logical step forward. The new disclosure and barring service will result in a more efficient and effective service to employees and employers, as well as volunteers and voluntary bodies. On that basis, I commend the amendments to the Committee.

Diana Johnson: Good morning, Mr Streeter and members of the Committee. As we said at the beginning of our sitting on Thursday, the major structural change creating the disclosure and barring service was set out in the review on vetting and barring that the Government carried out earlier this year. They said that they were minded to pursue that option. However, the Minister quoted from the NSPCC briefing on this group of amendments, in which it says:
“Since the launch of the report in February, Government has not said anything publicly about what the merger between the ISA and CRB would involve. The legislative changes required to underpin a merger were not contained within the Protection of Freedom's Bill when it was first introduced.”
It is extremely regrettable that such a major, albeit welcome, change to the structure has been introduced in a rushed way at the end of the Committee’s deliberations.
I am disappointed that we have not had an opportunity, as we did on all the other clauses, to consider the change informed by the excellent research produced by the House of Commons Library in its research papers, and the explanatory notes that are produced to help us scrutinise Bills more effectively. I also understand that no impact assessment has been produced on the change, which is very disappointing. The Committee is obviously at a bit of a disadvantage in trying to give it effective scrutiny.
We spent most of one whole day looking at vetting and barring without really having an opportunity to consider the effects of the new structure that will be created and to think through what that will mean for some of the earlier clauses that we debated at length, which is disappointing. We would welcome a response from the Minister on why the proposal has been tucked in right at the end of the Bill. If the Government were minded to take such a course of action in February, they could have indicated that to the Committee, which would have given us the opportunity to raise our concerns as we went through the Bill.
I am also concerned that we have received a great deal of written evidence from interested parties and had the Public Reading stage of the Bill—it has been helpful to look at all those remarks—but, of course, no comments have been made on the group of amendments, either in written submissions or in the Public Reading stage, which is disappointing.
I have several questions for the Minister on the group of amendments, because of the lack of information before they were tabled. Government amendment 223 seems to be consequential on the creation of the DBS. Will she explain exactly what the amendment will do? Does it restrict the amount of the Bill that will apply to the Channel Islands and the Isle of Man? Do the ISA and the CRB currently cover the Channel Islands and the Isle of Man, and do their Administrations help pay the cost of the ISA and the CRB at the moment? Do the same vetting and barring arrangements apply to the Channel Islands and the Isle of Man?
Government new clause 19 will create the DBS. The proposal was first put forward in the Home Office’s review of the vetting and barring scheme, and it was flagged by the Government as a way forward that they were minded to accept. I have already set out that it is difficult effectively to scrutinise the proposal, given the late tabling of the new clauses, the new schedule and the amendments, but will the Minister explain in more detail the current legal entity of the ISA, which I understand is a non-departmental public body, and the CRB, which is an executive agency? Will the Minister explain why it is appropriate for the new body to be a body corporate, and what that means for the structure that will be created? May we have further information about why it will not just be a non-departmental public body or an executive agency?
The body that is to be created will be a body corporate, so is it possible that its creation might be the first stage in the privatisation of the DBS? Down the line, might the service be outsourced to the private sector? What consultation took place with employees and trade unions before the amendments were tabled a week ago to abolish the CRB and the ISA? Given that no impact assessment has been released and that there was no discussion of the proposal in the oral evidence or written submissions, can the Minister confirm that no jobs will be lost with the creation of the DBS? Can she also confirm whether there has been any formal consultation with the trade unions that represent employees at the ISA and the CRB?
There has not been an impact assessment, so can the Minister set out the actual costs of merging the two bodies? What are the IT costs? What, if any, redundancy costs has the Minister identified? On property and relocation, the Minister said in her opening remarks that both sites in Darlington and Liverpool would remain open, so there is no obvious reduction in costs from moving to a single site. Will the Minister explain whether there will be any cost savings in the merger? How will the process be streamlined if we are to have two sites running in Darlington and Liverpool? Will there be one management system for the DBS, and how does the Minister envisage that that will operate?
What does the Minister think the cost savings will be once the merger is complete? Has the ISA been consulted on this change? Why were the ISA and CRB not invited by the Minister to give evidence to the Committee, because it was clearly in the mind of the Minister that at some stage the proposal would be brought before the Committee to consider?
When does the Minister expect to have the DBS up and running, and can she explain the position on Northern Ireland? I understand that the CRB’s equivalent—Access Northern Ireland—will stay. Will the DBS system operate alongside Access Northern Ireland, which will keep its separate system?
Government new clause 20 gives the Secretary of State powers to transfer any functions of the ISA to the DBS. The Bill allows for the gradual transfer of functions. For how long will the two bodies run in parallel? Will the ISA and the CRB run alongside the DBS? When the security industry body was set up a few years ago, there were many problems at the beginning with delays in taking information forward and in checking people who provided security at nightclubs and pubs. I am concerned that there may be a similar problem when this new body is set up. One way of dealing with that would be to run the two schemes in parallel.
The NSPCC’s submission said that it was worried about delays and confusion arising from the handover. What measures has the Minister put in place to ensure an orderly transition? None of us wants to see delays and missed information.
On IT systems, what measures have been taken to develop a single system? What problems have been identified and envisaged? How long does the Minister think it will take to set up a single IT system, and what is the expected cost of that system?
Will functions currently exercised by the Secretary of State be transferred to the DBS? The Secretary of State has powers to decide the level of fees, and we have seen in the written evidence a great deal of concern from the voluntary sector about additional costs that it may incur because of fees. The trade unions have also expressed worries about poorly paid employees being asked to meet the costs of additional charges. Has the Minister given that any thought, and will the Secretary of State retain the power to levy fees? The cost of the merger might be high; will it be met by those who require CRB checks? Will there be an increase in the fees that they are asked to pay to meet such costs?
The Secretary of State must interact with the police when deciding what information to disclose, as we have heard throughout our discussions on vetting and barring. Have the police been consulted on the new provision? How will the Minister ensure that the DBS does not inundate the police with requests to ease its own investigative work load?
Government new clause 21 addresses the Secretary of State’s power to make orders under clause 20. Will the Minister set out the limits of that power under subsection (1)? What if an order contradicts other primary legislation? Will a further resolution of both Houses be required under subsection (2) before any powers are handed over to the DBS?
Can the Minister give an example of one of the hybrid instruments to which subsection (4) refers? When would such an instrument be used? Subsection (5) refers to Acts passed by the Northern Ireland Assembly or the Welsh Assembly. What if such Acts are not compatible with the responsibility for the DBS to remain in Westminster? Can any of the devolved bodies usurp its role?
Government new clause 22 allows for the transfer of property and staff to the DBS. The DBS will be a separate legal entity, so can the Minister confirm whether that will mean that property will be transferred away from the Government? Will the DBS be able to dispose of that property? Will all staff be transferred? The clause allows for a fund to compensate any person whose interests are adversely affected. Can she tell us how much is in that fund and what assessment has been made of the likely demands on it? Can she give an example of a typical payout?
Will the Minister say a bit more about Government amendment 241 and its effect? New schedule 2 sets out in more detail the procedures for establishing the DBS. Will she explain in what circumstances under paragraph 17(1)(c) the DBS might need to borrow money? In addition, paragraph 17(2)(a) refers to “gifts of money”. Will she say why that provision is included?
Will the Minister set out clearly how the body will be different from the ISA and the CRB, so that we are clear about what is being established? Finally, what will be the effect of the measure on the employment of staff? What is the key issue when members of staff move to the new body? The Minister has indicated that TUPE will apply; will there be any changes to employment status that we should be aware of?
All those questions are technical and detailed, which is a result of the Government’s failure to set out the measure clearly when the Bill was introduced. Much of the information could have been provided in a written form, either in an impact assessment, as I have said, or in explanatory notes, which would have assisted Committee members in properly considering the Government’s new clauses.

Jim Shannon: I apologise for not being here at the beginning of the sitting. It is nice to see the Minister in her place. I am not sure whether she was in the car behind me—it took us an hour to get here from the station. She was beeping the horn—I am not sure whether to make the taxi go faster, but it certainly spurred us all on to make sure that we got here more quickly than we might have.
I shall make a couple of comments on Government new clauses 19 to 22. The hon. Member for Kingston upon Hull North has spoken about Northern Ireland and I want to discuss that aspect and ask the Minister a few questions. I am grateful for the opportunity to speak about the new clauses, and the schedule in particular.
It seems a most sensible idea to combine the functions of the CRB and the ISA into a disclosure and barring service. The CRB and the ISA currently work closely together, with the CRB providing a back office function for the ISA on flow of conviction data. The CRB provides a disclosure service for England and Wales. In Northern Ireland that function is provided by AccessNI. The new body will provide a barring service only for Northern Ireland, notwithstanding that there are, and will need to be, close links between both disclosure bodies. That was hinted at by the hon. Member for Kingston upon Hull North. As the Minister indicated in the last sitting, this co-operation is in everyone’s interest, given the level of population movement across the UK, which is greater today with the movement of people looking for jobs.
I want to ask the Minister a number of questions about this, so I ask for her patience. I am happy if her officials want to write to me on these issues, if that is easier for her. First, will she put on record the expectation that there should continue to be a Northern Ireland board member on the new body, who will bring their expertise on Northern Ireland to the table? I am keen to ensure that that happens, because it will add to the process and give some collective responsibility to those board members in how the process works.
Does the Minister agree that there needs to be close collaboration with the Northern Ireland Executive in the development of DBS arrangements? I hope she would acknowledge that the Northern Ireland Administration have provided a large input into developments, which has facilitated the ISA’s operation in Northern Ireland to date. I want to put on record my thanks to the Minister for the co-operation that there has been with the Northern Ireland Assembly to ensure that this process moves smoothly. That has been welcomed by many, both by those who represent Northern Ireland in this House and by those in the Northern Ireland Assembly, who have been directly involved in the process.
Secondly, how will the continuous updating service be delivered in Northern Ireland? Will it be contracted out to the DBS? I imagine that it would make sense to link existing infrastructure and systems. Does the Minister agree that both the ISA currently, and the DBS as it comes into operation, will gather valuable information across England, Wales and Northern Ireland on the types of referrals and the nature of barring decisions? That would be invaluable in providing evidence of risk by role, sector and region. I ask for her assurance that that information will be publicly available in annual reports and used to develop and inform arrangements by evidencing risk. I would also like some idea of the trends in Northern Ireland on referrals and barring. I am not sure whether that information is available today. If it is not, it would be helpful if it could be furnished to me at a later date.
I am also glad to note that the non-departmental public body will have the usual arm’s length relationship with the Government. One of the issues in the past was barring decisions being overseen or agreed by Ministers. I hope that the Minister endorses the need for the operational independence of the service. Again, I seek her response to that.
Finally, will the Minister give me some information on the cost of checks provided by the DBS? I want the Minister’s assurance that checks for volunteers will continue to be free for both applications and continuous updating.

Jenny Chapman: First, I echo the remarks of my hon. Friend the Member for Kingston upon Hull North about how late in the day these amendments have come. When we were considering some of our earlier points, we did not have the opportunity to think through what the consequences of the amendments might be. My concern is not based on the fact that the ISA is in Darlington and that there may be a consequence to employment in my constituency. I can assure everyone that that has not entered my head once during these deliberations.
My concern is about the management of the ISA. When Sir Roger Singleton and one of the managers of the ISA gave evidence, I was struck by the manager’s in-depth knowledge of how the ISA operates. She had a careful understanding of the decision-making process, the appeals procedure and the investigatory function of the ISA. Although the proposal is sensible, one of the potential pitfalls of the merger may be that some of the management expertise at the ISA is lost, if certain management functions are merged too quickly without fully thinking the process through with the CRB. Although the two bodies sometimes deal with similar individuals, and they have a common purpose, they fulfil different functions. It would be very damaging if skills at the top of the ISA were lost, so I want reassurance that the Minister will take that possibility on board and make sure that it does not happen when the two organisations merge.

Lynne Featherstone: There is an extensive list of points to come back to. I will answer the hon. Member for Darlington first. It is our ambition to retain and capture the expertise built up in the very special function of making barring decisions, which demands such expert knowledge. That is our intention in joining together the two bodies. The purpose is to get the absolute best and make it better and more efficient.
The hon. Members for Kingston upon Hull North and for Darlington both remarked on the tabling of the amendments. I had hoped that by offering the extra facility of a briefing last Thursday we would have been able to answer at least some of the questions asked by the hon. Member for Kingston upon Hull North.

Diana Johnson: It was remiss of me not to thank the Minister and her officials for the briefing on Thursday afternoon. I appreciated it very much, but I still think that it is rather unfortunate that it was at the tail end of the Bill and that all the written submissions and the evidence sessions took place without our knowing what the Government were planning to bring forward. That was my point.

Lynne Featherstone: I understand that, but the provision was always in our view and it was a recommendation in the vetting and barring scheme review. I know of the hon. Lady’s concerns about the tabling of the amendments coming after the majority of our debates. However, the NSPCC says that the merger of the CRB and ISA should not have any implications for the elements of the disclosure and barring processes that are set out in legislation. The provision is essentially about the organisation of the functions rather than their substance. We signalled in our remodelling review that we would bring together functions of the ISA and the CRB, but it was not possible to include the necessary provisions in the Bill when it was introduced.
We have brought forward the new clauses as quickly as we could, and discussing them at this point does not alter anything that was said when we were considering the provisions in part 5. That is an important point. If something of importance was affecting what we are legislating for, that would perhaps be an issue, but although the provision is late, the organisational functions, which are supported on all sides as logical and sensible, remain logical and, indeed, sensible.
The hon. Lady asked about the Channel Islands and the Isle of Man. The clause enables the provisions in chapters 1 and 2 of part 5 of the Bill, which are mainly provisions to reform the vetting and barring scheme and the criminal records regime, to be extended to the Channel Islands and the Isle of Man by Order in Council. The decision to extend those provisions is a matter for the islands themselves. The provisions in part 5 of the Police Act 1997 have already been extended with appropriate modifications to Jersey, Guernsey and the Isle of Man.
The hon. Lady also asked about the current status of those islands. In relation to the vetting and barring scheme, the clause follows the example in subsection 66(4) of the Safeguarding Vulnerable Groups Act 2006, which enables the Act to be similarly extended, although the power has not yet been exercised. I hope that that answers her queries about the Channel Islands.

Diana Johnson: Do the islands pay for the ISA and the CRB? Are they actually putting money into the pot?

Lynne Featherstone: I will come back to the hon. Lady on that point. I do not know the answer off the top of my head.
The new organisation would be a body corporate, as the ISA is currently. There will be no change in its form. Under paragraph 6 of new schedule 2, we do not allow the outsourcing of core functions of the ISA or the new body.
The hon. Lady asked about impact assessments. The published impact assessment provides assessment of the policy proposals as they stood at introduction. The impact assessment is currently being revised and it will be submitted to the regulatory policy committee for scrutiny in due course. The revised impact assessment will take account of the Government’s amendments, including the ISA-CRB merger. It will be published in time for introduction in the Lords, so it will receive full scrutiny there, although I accept that in the hon. Lady’s opinion that will not be ideal.

Diana Johnson: So elected Members of Parliament will not have the opportunity to consider the impact assessment. Is there any way it could be ready to be examined on Report on the Floor of the House? At least elected Members would then have an opportunity to look at the information behind the decisions.

Lynne Featherstone: I will look at that point for the hon. Lady. It obviously depends on the timing of Report. If the Bill were to come back tomorrow, the answer would probably be no, but if there is an extended period we can consider the possibility of bringing the process forward.
The hon. Lady asked why there would be an NDPB. The answer is so that the functions can be taken at arm’s length; it is crucial that there be no influence by Ministers in the decision-making powers of the ISA and that there is absolute separation.
The hon. Lady asked several questions about staff and their representatives. There will be full consultation with staff in both organisations. They will be engaged and kept informed as work progresses to implement the DBS. The Home Office and other Departments will work closely and collaboratively with the chief executives and senior management teams of both the CRB and the ISA, as well as with employee representatives to ensure that there is active engagement and that information and messages are shared.
As I said, TUPE will apply to staff at the CRB and the ISA as part of the staff transfer scheme. As for whether staff will be transferring to the new organisation, we will be reviewing the structure of the senior management team, but other staff are expected to transfer to the new body. The terms and conditions of staff transfers from the CRB and the ISA to the new organisation will be progressed in accordance with the Cabinet Office statement of practice. Transferred staff will become employees of the DBS, which, as the new employer, will be bound by the contracts of employment as they existed prior to the transfer. Continuity of service will be recognised.
For more general information, CRB employees are currently civil servants and they will transfer on the terms and conditions in place immediately prior to the transfer. They will no longer be civil servants, but public servants. In the instance of questions being asked by staff about whether they will have to reapply for their own jobs and how employees from the CRB and the ISA will be appointed to posts within the new organisation, for the vast majority of posts there will be a direct crossover between roles in the existing organisation and the new organisation. We want to make the process as simple and as straightforward as possible. In cases when a direct crossover might not prove possible, there will be a transparent and fair process to link existing roles with comparable new roles.
I think that the hon. Lady raised an issue about pensions. [Interruption.] Perhaps not. For the avoidance of doubt, our intention is to enable the new organisation to be part of the principal civil service pension scheme. Employees of the CRB and the ISA would transfer to the new organisation with their existing pension rights. However, that requires an application to the scheme, which will be submitted and progressed in accordance with Cabinet Office and Her Majesty’s Treasury guidelines and procedures.
The hon. Lady asked about the limits of the order. The Secretary of State is limited in her order-making power under new clause 21. The power may be used only to make orders to transfer ISA functions to the DBS, so it has a very narrow focus. Under new clause 20, orders may transfer functions of the Secretary of State only in relation to part 5 of the Police Act 1997, the Safeguarding Vulnerable Groups Act 2006 and the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007. The hon. Lady asked whether there might be a conflict between an order and parts of the legislation; there will not be such a conflict.
The new disclosure and barring service will carry out all the barring functions for both England and Wales and for Northern Ireland. The DBS will also carry out what are currently CRB functions, and Access Northern Ireland will continue to carry out its functions. That answers the hon. Lady’s point about Northern Ireland, but I will refer again to Northern Ireland when I respond to the hon. Member for Strangford.
When the CRB and the ISA are merged, there will be one management team for the new organisation. That will streamline the decision-making process, as there will be only one decision-making management team for disclosure and barring.
The hon. Member for Kingston upon Hull North asked about fees. No decisions have yet been taken about the level of fees, but it will be kept under review. As at present, fees will continue to be based on cost recovery for the scheme as a whole. We are working on that as we speak.

Diana Johnson: I would be grateful if the Minister can confirm whether the Secretary of State will retain that matter for herself or whether the DBS will decide what rate of fees to charge.

Lynne Featherstone: It is a matter that the Secretary of State will keep for herself.
The hon. Lady referred to hybrid instruments. In the extremely unlikely case that an argument is made about functions in the 2006 Act or in the 1997 Act solely affecting local interests, which might lead to the consideration of whether an order is hybrid—it is in that circumstance that the question might arise—we do not envisage that happening; the provision is included solely for the avoidance of doubt, but it would be a very rare circumstance.
The hon. Lady asked about borrowing and gifts. Many of the provisions in new schedule 2, for example those relating to the borrowing of money or the acceptance of gifts, are standard for non-departmental public bodies. Indeed, similar provisions were made for the ISA in the Safeguarding Vulnerable Groups Act, so the same rules will be carried forward to the new body.
The hon. Lady asked whether the property is held by the Government; who owns it and who can sell it? The CRB currently occupies property provided under a public-private partnership agreement, which is therefore not Government property. When the CRB is merged into the DBS, the new body can occupy property that it leases or rents as a non-departmental public body.
On the transfer of the functions of the Secretary of State, some of them will remain with her, including any legislation-making power. That covers the setting of fees, about which the hon. Lady asked. Fees are currently prescribed in negative resolution regulations, and that will remain the case.
The hon. Lady asked about IT systems. The IT systems operated by the ISA and the CRB are currently being assessed with a view to their moving to a single system. We expect any such system to be subject to a key test, and there are plans to do that in late summer. The same point relates to contract expiry dates, the formation of the new body and allowing the new body to let new contracts rather than trying to manage different contracts in each bit—if the hon. Lady understands what I mean.
On the hon. Lady’s last query, the Channel Islands and the Isle of Man do not pay for the ISA as the 2006 Act does not extend to them. However, they pay fees for CRB applications, because part 5 of the 1997 Act has been extended to them. Fees for CRB applications are set on a cost-recovery basis. Will the hon. Lady remind me which points I have omitted from my response?

Diana Johnson: One of the big problems is that it is difficult to get figures from the Minister on what cost savings may occur once the merger has taken place. Is she expecting any savings? Does she have any idea about the actual cost of the merger and what savings might result?
On the IT system, does the Minister have a budget for setting up the new system that would merge the two systems that operate currently? It would be helpful to have some hard figures on what the change will cost in the light of the continuing refrain from the Government that they do not have any money. I am interested to know where the money is coming from for these proposals. Does the Minister think there will be some savings?

Lynne Featherstone: I thank the hon. Lady for reminding me of the two points that I forgot. I will try to come back to her on the figures; if I cannot do it in Committee, I undertake to write to her as soon as we have them. The two bodies are coming together because it is a logical conclusion of all the things that we have done to make a better and more streamlined system. Together, they will retain expertise—the hon. Member for Darlington’s point—and make a better single body, able to deal in a more streamlined way with employers, employees, volunteers and voluntary organisations. I hope to come back to the hon. Member for Kingston upon Hull North, but if I cannot, I will write to her.
The hon. Member for Strangford asked a number of questions about the provisions, and I will address them in turn. First, he asked whether someone with experience of safeguarding issues in Northern Ireland would be appointed as a member of the disclosure and barring service. I am pleased to acknowledge the helpful role played by both Access NI and the Northern Ireland Executive in developing the provisions in part 5 of the Bill and applying them to Northern Ireland. New schedule 2 provides for consultation with the Northern Ireland Administration on membership of the new disclosure and barring service. We will be happy to ensure that we include a suitable member to represent the particular circumstances of Northern Ireland. [Interruption.] I did not hear what the hon. Member for Strangford said.
Secondly, the hon. Gentleman asked how the continuous updating service will be delivered in Northern Ireland. For our part, we would be content for the disclosure and barring service to deliver the continuous updating service in Northern Ireland too. We are currently discussing the details of that, including the costs, with officials in the Northern Ireland Administration.
Thirdly, the hon. Gentleman asked about the provision of barring information. I assure him that appropriate arrangements will be in place, both for sharing relevant information and for ensuring that appropriate barring information is available in respect of Northern Ireland. On operational independence, which I have covered to some extent already, I assure the hon. Gentleman that the new disclosure and barring service will retain full independence in decision making. He will have noted that new schedule 2 enables the Secretary of State to give directions to the new body in relation to the exercise of its disclosure functions, under part 5 of the Police Act 1997. Those functions are currently the responsibility of the CRB, although not in respect of the core role of decision making on barring, which is a separate entity.
Finally, the hon. Gentleman asked about the cost of criminal record checks provided by the new disclosure and barring service. The hon. Member for Kingston upon Hull North raised the issue as well. Criminal record checks will continue to be issued free of charge to volunteers. As it was, it continues to be. No final decision has been reached on how the costs of the continuing updating service will be apportioned. We bear in mind the needs of volunteers, and the need for volunteers to come forward.
On setting up the organisation, I have only brief information to give the hon. Lady. There will be no change to sites or operational infrastructure as a result of setting up the DBS. We expect the cost to be minimal. The IT contracts of both the ISA and the CRB are due to be renewed in any event, as I have tried to explain, so the merger will not add to IT costs. The contracts are up for termination anyway, so a new contract will be let as the existing ones finish in the near future.

Diana Johnson: Is the Minister expecting to make any savings? I understand that the rationale is to streamline and to bring the two organisations together to provide a more effective service. We are retaining two sites, however, so it sounds as though there will be minimal savings.

Lynne Featherstone: The hon. Lady is right that there will be minimal costs. We have not, however, assessed savings, because bringing together the two functions is more about making the process work than about what it costs or saves. However, we always have our eye on costs, given, as the hon. Lady has said, the deficit that we were left.

Amendment 223 agreed to.

Clause 104, as amended, ordered to stand part of the Bill.

Clause 105

Amendments made: 224, in clause105,page82,line23, leave out paragraph (e) and insert—
‘(e) Chapter 1 of Part 5 (excluding section (Corresponding amendments in relation to Northern Ireland) and Schedule (Safeguarding of vulnerable groups: Northern Ireland)),
(ea) Chapter 2 of Part 5 (excluding section (Out of date references to certificates of criminal records)),
(eb) Chapter 3 of Part 5,’.
Amendment 225, in clause105,page82,line25,leave out ‘subsection’ and insert “subsections (1A), (2), (4) and’.
Amendment 226, in clause105,page82,line26,leave out ‘subsection’ and insert “subsections (2), (4) and’.
Amendment 227, in clause105,page82,line28,at end insert—
‘(1A) The following provisions extend to England and Wales and Scotland only—
(a) paragraph 72A(a) of Schedule 7, and
(b) any provision which extends to England and Wales and Scotland only by virtue of subsection (5) or (6).’.
Amendment 228, in clause105,page82,line29,leave out from beginning to ‘to’ and insert ‘The following provisions extend’.
Amendment 229, in clause105,page82,line29,after ‘only’ insert ‘—
(a) Part 2 of Schedule1,
(b) sections (Establishment and constitution of DBS) to (Transfer schemes in connection with orders under section (Transfer of functions to DBS and dissolution of ISA)) and Schedule (Disclosure and Barring Service) (excluding paragraph 5(3) of that Schedule),
(c) in Part 5 of Schedules7 and 8, the amendments and repeals in respect of the Police Act 1997 and paragraph 14(7)(c) of Schedule 9 to the Safeguarding Vulnerable Groups Act 2006, and
(d) any provision which extends to England and Wales and Northern Ireland only by virtue of subsection (6).’.
Amendment 230, in clause105,page82,line30,leave out from beginning to ‘to’ and insert ‘The following provisions extend’.
Amendment 231, in clause105,page82,line30,after ‘only’ insert ‘—
(a) Parts 4 and 5 of Schedule1, and
(b) any provision which extends to Scotland only by virtue of subsection (6).’.
Amendment 232, in clause105,page82,line31,leave out from beginning to ‘to’ and insert ‘The following provisions extend’.
Amendment 233, in clause105,page82,line31,after ‘only’ insert ‘—
(a) Part 6 of Schedule1,
(b) section 62 and Schedule 6,
(c) section (Corresponding amendments in relation to Northern Ireland) and Schedule (Safeguarding of vulnerable groups: Northern Ireland),
(d) in Part 5 of Schedules 7 and8, the amendments, repeals and revocations in respect of—
(i) the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (S.I. 2007/1351 (N.I.11)) and any order made under that Order,
(ii) Part 3 of Schedule 5 to the Health Care and Associated Professions (Miscellaneous Amendments and Practitioner Psychologists) Order 2009 (S.I. 2009/1182), and
(iii) sections 90 and 92 of the Policing and Crime Act 2009, and
(e) any provision which extends to Northern Ireland only by virtue of subsection (6).’.
Amendment 234, in clause105,page83,line1,at end insert—
‘(da) section (Out of date references to certificates of criminal records),
(db) paragraph 5(3) of Schedule (Disclosure and Barring Service),’.—(James Brokenshire.)

Clause 105, as amended, ordered to stand part of the Bill.

Clause 106 ordered to stand part of the Bill.

Clause 107

Question proposed, That the clause stand part of the Bill.

Clive Efford: The Government might want to consider at a later stage altering the Bill’s title to the protection of some freedoms Bill, or the give a little, take a little freedoms Bill. Our deliberations on all the clauses have demonstrated that there are consequences to these decisions. It is easy to write headline-grabbing leaflets on protecting freedoms, innocent people, children in schools and biometric information, but when we get down to the nitty-gritty, legislating has consequences.
We had a long debate on the retention of DNA and the evidence supporting six years and three years. We proved that retention for three years is justified, but there was no unequivocal evidence to prove whether six years is more desirable. We argued at that time that the introduction of a six-year period would allow us to obtain the empirical information that we needed to make a decision about the time limit. To whose freedoms does the title of the Bill refer, because people may suffer as a consequence of our taking this giant leap of introducing a cut-off period of three years for the retention of biometric details?
Consequences have driven many of the measures today. Looking back, the previous Government did not come in with the intention of retaining innocent people’s DNA, introducing control orders, or taking biometric details from children in schools. However, the consequences of events and public opinion forces certain decisions to be taken. As the years go by, I am sure that there will be events that cause the coalition Government to reconsider some of their decisions.
In one debate, we discussed the freedom of schoolchildren as young as three to defy their parents. There will certainly be a freedom for three-year-olds, but I am not sure that parents see that as a freedom, because the Bill will say to them that their three-year-old may defy them over that child’s biometric details. That is an interesting consequence of a freedom, and it calls into question the title of the Bill—whose freedom will it protect?—because we want to protect the freedom of parents to be parents, and not to interfere in such a way.
We have discovered that the protection of freedoms is limited in relation to CCTV, because only a small fraction of CCTV cameras are covered by the Bill. For all that we have heard the headline-grabbing statements about the intrusion of CCTV into people’s private lives and the extent of surveillance of people by CCTV, when we got down to the detail we found that the Bill covers very few of the CCTV cameras about which people are concerned. CCTV cameras in the hands of private organisations cause concern among the public, and not those in the hands of public organisations, which are more accountable for what they do with their information. But it is against the use of CCTV by public organisations that the Protection of Freedoms Bill seeks to provide protection.
We had a similar situation with the freedom of people to protect themselves from rogue parkers, because of the protection given to rogue clampers. I cited the example of the Cator estate in my constituency, where residents were told that they could no longer use a simple system of clamping to protect themselves from people causing great problems in their community. They are now unable to protect themselves in the way that they had done for some time without causing any of the problems that the Bill seeks to address. I know we all want to deal with problem clampers, but I wonder whether we have created a problem of rogue ticketers.

Gary Streeter: Order. The hon. Gentleman is making an excellent Third Reading speech, but I want him to confine his remarks to clause 107.

Clive Efford: It is the title that I am calling into question, as you will appreciate, Mr Streeter. I was about to draw to a conclusion, as I do not want to cause too much more embarrassment to the Government by pointing out how the Bill is not so much about the protection of freedoms as an alteration of freedoms, in giving some freedoms to some people and taking away others from others.
We also had a necessary but not earth-shattering change—the removal of the provision that allowed the holding of fraud trials without jury, which had never been brought into force.

Gary Streeter: Order. That has nothing to do with the title.

Clive Efford: Well—

Gary Streeter: Has the hon. Gentleman anything more to say about the title?

Clive Efford: Well, all I would say is that the Bill restored a freedom that had never been removed in the first place, so I suggest that the Government should reflect on the title of the Bill.

Gary Streeter: Thank you.

Question put and agreed to.

Clause 107 accordingly ordered to stand part of the Bill.

New Clause 16

‘In section 75(4) of the Data Protection Act 1998 (commencement of section 56 of that Act not to be earlier than the first day on which certain sections of the Police Act 1997 relating to certificates of criminal records are all in force) for “sections 112, 113 and 115” substitute “sections 112, 113A and 113B”.’.—(James Brokenshire.)

Brought up, read the First and Second time, and added to the Bill.

New Clause 18

‘Schedule (Safeguarding of vulnerable groups: Northern Ireland) (which makes corresponding amendments in relation to Northern Ireland about the safeguarding of vulnerable groups) has effect.’.—(James Brokenshire.)

Brought up, read the First and Second time, and added to the Bill.

New Clause 19

‘(1) There is to be a body corporate known as the Disclosure and Barring Service.
(2) In this Chapter “DBS” means the Disclosure and Barring Service.
(3) Schedule (Disclosure and Barring Service) (which makes further provision about DBS) has effect.’.—(James Brokenshire.)

Brought up, read the First and Second time, and added to the Bill.

New Clause 20

‘(1) The Secretary of State may by order transfer any function of ISA to DBS.
(2) The Secretary of State may by order transfer to DBS any function of the Secretary of State under, or in connection with—
(a) Part 5 of the Police Act 1997 (criminal records),
(b) the Safeguarding Vulnerable Groups Act 2006, or
(c) the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (S.I. 2007/1351 (N.I.11)).
(3) The Secretary of State may by order provide for the dissolution of ISA.
(4) In this section—
“function” does not include any power of the Secretary of State to make an order or regulations,
“ISA” means the Independent Safeguarding Authority.’.—(James Brokenshire.)

Brought up, read the First and Second time, and added to the Bill.

New Clause 21

‘(1) Any power to make an order under section (Transfer of functions to DBS and dissolution of ISA)—
(a) is exercisable by statutory instrument,
(b) includes power to make consequential, supplementary, incidental, transitional, transitory or saving provision,
(c) may, in particular, be exercised by amending, repealing, revoking or otherwise modifying any provision made by or under an enactment (whenever passed or made and including this Act).
(2) Subject to subsection (3), a statutory instrument containing an order under section (Transfer of functions to DBS and dissolution of ISA) is not to be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.
(3) A statutory instrument containing an order under section (Transfer of functions to DBS and dissolution of ISA) which neither amends nor repeals any provision of primary legislation is subject to annulment in pursuance of a resolution of either House of Parliament.
(4) If a draft of an instrument containing an order under section (Transfer of functions to DBS and dissolution of ISA) (alone or with other provision) would, apart from this subsection, be treated as a hybrid instrument for the purposes of the standing orders of either House of Parliament, it is to proceed in that House as if it were not a hybrid instrument.
(5) In this section—
“enactment” includes a Measure or Act of the National Assembly for Wales and Northern Ireland legislation,
“primary legislation” means—
(a) a public general Act,
(b) a Measure or Act of the National Assembly for Wales, and
(c) Northern Ireland legislation.’.—(James Brokenshire.)

Brought up, read the First and Second time, and added to the Bill.

New Clause 22

‘(1) The Secretary of State may, in connection with an order under section (Transfer of functions to DBS and dissolution of ISA), make a scheme for the transfer to DBS of property, rights or liabilities of ISA or the Secretary of State.
(2) The things that may be transferred under a transfer scheme include—
(a) property, rights and liabilities which could not otherwise be transferred,
(b) property acquired, and rights and liabilities arising, after the making of the scheme.
(3) A transfer scheme may make consequential, supplementary, incidental, transitional, transitory or saving provision and may, in particular—
(a) create rights, or impose liabilities, in relation to property or rights transferred,
(b) make provision about the continuing effect of things done by, on behalf of or in relation to the transferor in respect of anything transferred,
(c) make provision about the continuation of things (including legal proceedings) in the process of being done by, on behalf of or in relation to the transferor in respect of anything transferred,
(d) make provision for references to the transferor in an instrument or other document in respect of anything transferred to be treated as references to the transferee,
(e) make provision for the shared ownership or use of property,
(f) if the TUPE regulations do not apply in relation to the transfer, make provision which is the same or similar.
(4) A transfer scheme may provide—
(a) for modification by agreement,
(b) for modifications to have effect from the date when the original scheme came into effect.
(5) A transfer scheme may confer a discretion on the Secretary of State to pay compensation to any person whose interests are adversely affected by the scheme.
(6) A transfer scheme may be included in an order under section (Transfer of functions to DBS and dissolution of ISA) but, if not so included, must be laid before Parliament after being made.
(7) For the purposes of this section—
(a) an individual who holds employment in the civil service is to be treated as employed by virtue of a contract of employment, and
(b) the terms of the individual’s employment in the civil service are to be regarded as constituting the terms of the contract of employment.
(8) In this section—
“civil service” means the civil service of the State,
“ISA” means the Independent Safeguarding Authority,
“TUPE regulations” means the Transfer of Undertakings (Protection of Employment) Regulations 2006 (S.I. 2006/246),
references to rights and liabilities include rights and liabilities relating to a contract of employment,
references to the transfer of property include the grant of a lease.’.—(James Brokenshire.)

Brought up, read the First and Second time, and added to the Bill.

New Clause 2

‘(1) In Schedule 2 to the Data Protection Act 1998 (conditions relevant for purposes of the first principle: processing of any personal data) in paragraph 1 after “his” there is inserted “explicit”.’.—(Mr Watson.)

Brought up, and read the First time.

Tom Watson: I beg to move, That the clause be read a Second time.

Gary Streeter: With this it will be convenient to discuss the following:
New clause 3—Power of entry—
‘(1) After section 50 of the Data Protection Act 1998 insert—

“General Power of Entry and Inspection
50A Power of Commissioner to Enter and Inspect business premises
‘(1) The Commissioner may enter a data controller’s business premises and inspect—
(a) the premises,
(b) any equipment found on the premises which is used or intended to be used for the processing of personal data, and
(c) any document or other material found on the premises which may enable the Commissioner to determine whether the data controller has complied or is complying with the data protection principles,
if the inspection is reasonably required for the purpose of checking that data controller’s compliance with the data protection principles.
(2) The powers under this section do not include a power to enter or inspect any part of the premises that is used solely as a dwelling.
(3) A data controller is not required to produce or permit to be inspected any material which is exempt under Part IV of this Act.
(4) Where a document (or a copy of a document) is produced to, or inspected by, the Commissioner, he may take copies of, or make extracts from, the document.
(5) Any person who obstructs the exercise of a power conferred by this section is guilty of an offence.
(6) In this section—
(a) “inspect” in relation to equipment includes the operation or testing of that equipment.
50B Carrying out inspections
‘(1) An inspection under section 50A may be carried out at any reasonable time.
(2) The Commissioner when seeking to carry out an inspection must provide a notice in writing as follows—
(a) if the occupier of the premises is present at the time the inspection is to begin, the notice must be provided to the occupier,
(b) if the occupier of the premises is not present but a person who appears to the officer to be in charge of the premises is present, the notice must be provided to that person, and
(c) in any other case, the notice must be left in a prominent place on the premises.
(3) The notice referred to in subsection (2) must state the possible consequences of obstructing the Commissioner in the exercise of the power.”’.
New clause 4—Damages—
‘(1) In section 13(2) of the Data Protection Act 1998—
(a) leave out “if”, and
(b) leave out paragraphs (a) and (b).’.
New clause 6—Personal data—
‘(1) In section 1(1) of the Data Protection Act 1998 (basic interpretative provisions), for the definition of “personal data” substitute—
““personal data” has the same meaning as in the Data Protection Directive, but shall not be taken to mean that the information must be biographical in nature, compromise the privacy of the data subject or have the data subject as its principal focus.”.’.
New clause 10—Trade in personal information—
‘(1) In section 52 of the Data Protection Act 1998 (Reports and codes of practice to be laid before Parliament), after subsection (1) there is inserted—
“(1A) The Commissioner shall lay annually before each House of Parliament a report on the unlawful trade in confidential personal information.”.’.
New clause 11—Penalty—
‘(1) In section 60 of the Data Protection Act 1998 (Prosecutions and penalties)—
(a) in subsection (2) after “section 54A” there is inserted “, section 55”, and
(b) after subsection (2) there is inserted—
“(2A) A person guilty of an offence under section 55 shall be liable—
(a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum, or to both;
(b) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine, or to both.”.
(2) Omit section 77 of the Criminal Justice and Immigration Act 2008 (Power to alter penalty for unlawfully obtaining etc. personal data).’.

Tom Watson: Let me first apologise to all members of the Committee on behalf of the Opposition Whip, who made the cardinal mistake of cajoling me into becoming a member of a Committee that is scrutinising a Bill in which I have a policy interest. I shall not detain the Committee overlong, but there are some serious issues that I think could strengthen the freedoms in the Bill, to build on the theme unusually developed by my colleague while covering the previous clause.
For the first time in my life, I regret not being a Minister today, as I do not have his excellent Bill team to assist me in making my argument. I hope that he is tolerant with me if I veer off the path a little. I thank the Clerk, who has brilliantly allowed me to speak to all my new clauses in the same sitting and has put them in very logical order.
The basket of new clauses has two main themes. The first group, new clauses 2, 3, 4 and 6, deals with a failure of regulation, whereas new clauses 10 and 11 cover new measures to deal with intrusions of privacy. The first group allows me to talk to both Opposition Front Benchers and Ministers about the weaknesses in the regulatory arrangements under the Data Protection Act. The consequences are threefold: first, people cannot be sure that their information is safe and held in a responsible way; secondly, people do not have the requisite degree of control over when and how their information is gathered and used; and thirdly, people cannot seek sufficient redress when they suffer from the misuse or loss of personal information.
I am not along in holding that view: privacy advocates in the UK and EU privacy legislators believe that the regulation and oversight of privacy in the UK is currently too weak. They believe there are fundamental weaknesses in the powers and remit of the Information Commissioner, combined with the problem of the Data Protection Act that the commissioner and his office enforce; on the latter point, the focus of dispute is the UK’s failure to ensure that the Data Protection Act is properly implemented under the EU data protection directive.
I am sorry to go on about Europe, but some valid arguments are coming from Europe. The European Commission is pursuing the UK in the European Court of Justice at the moment over its perception of our failures. The Commission requested that the UK
“strengthen the powers of its data protection authority so that it complies with the EU’s Data Protection Directive.”
The organisation, Privacy International, suggested that it
“cannot imagine another domain of public policy where the regulators’ powers and effectiveness are so weak to question the very integrity of the law.”
That is a pretty serious claim. Members of the Committee might think that Privacy International has a particular axe to grind—it does—but even so, those words are pretty stark, and I agree with them.
Almost every transaction—social or economic—now relies in some way on the use of personal information. That means that the privacy regulatory framework has to ensure there is robust oversight and that people have sufficient control over how their own data are used. The new clauses I am proposing are an opportunity to apply corrective measures or, as is more likely, to start a debate on the topic with the Minister.
New clause 2 would create the requirement for specific and informed consent through the addition of the word “explicit” in the opening paragraph of schedule 2 to the Data Protection Act to ensure that users show that they know what they are signing up to when handing over personal data. As the law stands, any organisation can say that a person implied consent for the use of their data, purely because they do not currently have to be explicit. The EU data protection directive specifies that user consent must be
“freely given, specific and informed.”
The Data Protection Act merely uses the phrase
“has given his consent to the processing”,
which has led to the notion of “implied consent”, but that is a long way from
“'freely given, specific and informed.”
In countries such as Germany, consent is required to be explicit in writing, revocable, and not tied to terms and conditions. That is partly to do with Germany’s history and its relationship with state-controlled information about citizens. I like to think that we could learn from the Germans in this area of policy. An example would be behavioural advertising, when consent is said to be implied by the fact that people do not stop cookies being collected.
Another example that might allow members of the Committee to understand what I am trying to get at is when someone makes a purchase in a store for a large item— electrical goods, for instance. It is not uncommon for a store assistant to ask for a name and address, but when they take that personal information with “implied consent”, they fail to inform the person that they are going to stick their name and address on a database. In many cases, that can lead to unsolicited direct mail—direct marketing in general—and people being bombarded with marketing messages that they did not sign up to. The new clause would mean that retailers who collect and use a person’s information would have to make sure that they can demonstrate that the person gave explicit consent for their information to be used and stored on a database.
New clause 3 allows the Information Commissioner to inspect an organisation’s premises for evidence of breaches of privacy regulation. When the EU complained about the UK’s implementation of the directive, it said that the
“ICO can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks.”
That has the effect of significantly reducing the teeth of our information regulator. The commissioner must rely on the good will of organisations under his remit and the current situation gives organisations time to prepare for inspections in advance. At present, the ICO has power to issue an assessment notice and carry out compulsory audits, but they are limited to the public sector. Furthermore, there are serious limitations, including a lack of monetary penalties, when such audits find the organisation’s policy wanting.
Currently, organisations know that they cannot face spot checks and that it is unlikely that their wrongdoing will be uncovered or punished. The lack of power to inspect contributes to a lax regime and leads to an environment in which there are few incentives to obey data protection rules. The Information Commissioner himself has called for greater powers in that area, suggesting that the power to inspect would add bite to enforcement proceedings. It is the Committee’s duty to take the commissioner’s concerns seriously and try to address them; the new clause would allow the Committee a chance to do that today.
The ICO is right to call for greater powers. Other jurisdictions in Europe already give their data protection regulators powers of entry and their regimes are considered far more stringent than those of the UK. As a result, they suffer fewer data losses. In Spain, the Agencia Española de Protección de Datos has the power to inspect and audit without the consent of the data controller. When there is an infringement of data protection law by public sector organisations, fines are not imposed, but public warnings are issued that may lead to disciplinary proceedings against civil servants. In Ireland, the data protection authority has the power to enter any premises at any time without advance notice to look at personal data processed or information related to processing. The court can also order the deletion of a database, and current draft legislation proposes increasing the fine to €5,000 and a maximum of 10% of a company’s turnover. Those are stringent powers.
The data protection laws and policies in countries such as Spain and Ireland are less lax than those of the UK. In addition, the numbers of inspections and prosecutions are higher than in the UK and, as a result, those countries have fewer data losses. Examples of how different countries have dealt with breaches of data are best highlighted by the matter relating to Google Street View, which, as hon. Members will know, is a huge data collection exercise by Google to build useful maps. When doing that, however, Google also collected data about people’s wi-fi connections. Many ICOs initiated investigations across Europe about Google’s wi-fi data, but that did not take place in the UK. The ICO received information from Google, but had to request it. In fact, some organisations, such as Privacy International, had to intervene to stop the destruction of evidence on the advice of the ICO in the UK and elsewhere. Germany had powers to mount a more intrusive investigation to get to the bottom of the problem.
Citizens and consumers will remember examples of huge credit card losses over the past few years. TK Maxx lost more than 40 million credit card details in 2007, many of which belonged to UK residents. The ICO was unable to conduct an unannounced inspection, but had to request that TK Maxx give it access. When we see data losses on that scale, we really need the Information Commissioner to clean up some of the worst excesses. The new clause would do that.
New clause 4 would ensure that victims of data loss, or the inappropriate use of personal information, could recover damages if they have suffered distress or moral damage as a result. As the law stands, under the Data Protection Act that is possible only when distress is coupled with other tangible damage, such as financial loss. A further complaint from the EU regarding the UK’s transposition of the directive stated that
“the right to compensation for moral damage when personal information is used inappropriately is also restricted.”
The Government are currently looking at internet pornography. [Interruption.] Or they may not be. Or they may not want anyone else to. Sorry to make the obvious gag. When people’s personal viewing habits have been revealed to the world as a result of data losses, those people have suffered distress and embarrassment before even being found guilty of any copyright infringement. In one classic case, a legal firm called ACS:Law was hired to send out mass mailings threatening people who were believed to have breached copyright with legal action. Many of those people were innocent, but their private internet usage was displayed for the world to see. They had no ability to gain compensation, and many lost their job or saw their marriage break down. Illegal data loss had a big impact on their lives.
Others have been put at risk. A current example in the press relates to the PlayStation network. Millions of young people and teenagers who take part in online gaming have bought into online environments using their parents’ credit cards, and Sony has lost the information. That creates distress for the parents, many of whom have to cancel their credit cards and get their arrangements in order. It also causes difficulty for the children because there could be information about them. The new clause is therefore about people being able to put matters right if they have suffered distress as the result of data loss.
New clause 6 is an attempt to make UK law consistent with the wording of the data protection directive and to knock out some previous legal cases, one of which—the Durant case—will be known to the Minister. The directive defines personal data as
“information relating to an identified or identifiable…person”.
Identification is explained in the recitals as covering:
“all the means likely reasonably to be used either by the controller or by any other person to identify the said person.”
The UK takes a narrower view, which is less clear. That has been reinforced by widely criticised court decisions and, most importantly, by the Durant v. Financial Services Authorities case, which interpreted personal data on the basis of “relevance or proximity” to the data subject. The practical result is that many forms of what should be classed as personal data are not classed in that way in the UK.
A classic example, to give colleagues a practical understanding of what the new clause does, is the use of IP addresses. If someone does something on the net, their IP address is essentially their calling card; it can be used to identify them, but that is not currently covered by the judges’ interpretation of the directive, and the new clause is an attempt to ensure that it is covered.
Let me give a little background to the other two new clauses. How do we deal with privacy intrusion? The new clauses come on the back of the Information Commissioner’s 2006 report entitled “What price privacy?”. The report detailed the unlawful trade in personal information. Those buying such information included insurance firms, lenders, creditors, criminals intent on fraud and national newspapers. All the press, including all newspapers, were particularly avid buyers of such information, some of which was gained through blagging, some through illicit connections and some through phone hacking.
It was subsequently discovered that such intrusions into personal privacy, particularly by the press, were widespread and continuing, despite the investigation and report by the Information Commissioner.
The commissioner believed that the practice would not stop until the penalties for breaking the law were made more serious: when the most severe penalty was a fine of only a few thousand pounds, there was little incentive for the police to pursue cases and little to stop those who were determined to gather personal information. The commissioner therefore tried to increase the penalty for an offence under section 55 of the Data Protection Act to a fine or six months’ imprisonment for a summary conviction and a fine or up to two years’ imprisonment for a conviction. His aim was
“not to send more people to prison but to discourage all who might be tempted to engage in this unlawful trade, whether as buyers or suppliers.”
Although the commissioner’s changes were considered by the then Labour Government, they were scrapped after strong lobbying by senior press figures such as Paul Dacre in 2007 and 2008. There is a rather obvious political point to make, which is easier for me to say as a Back Bencher: Ministers in both the present and the previous Administration have let down British citizens who have had their privacy invaded, by acquiescing to the demands of editors and proprietors. That is unacceptable. We should listen to the Information Commissioner. The Freedom Bill is an opportunity to clamp down on the unlawful trade in data, and new clauses 10 and 11 would deal with that.
New clause 10 would ensure that the unlawful trade in personal information is investigated and reported on regularly. It is not a big demand. No organisation is tasked with investigating or reporting on the unlawful trade in personal information—not Ofcom, not the Press Complaints Commission, not the Information Commissioner’s Office and not the police. As a result, there is almost no oversight of an area where there is strong evidence to suggest widespread wrongdoing. The Information Commissioner’s Office has not only expertise in that area, but experience of reporting on it, most notably in “What price privacy?” and “What price privacy now?”.
There are examples of related problems. The PCC has so far conducted two investigations into phone hacking and is engaged on a third. The first two investigations found no evidence of unlawful privacy intrusion beyond the actions of one rogue reporter, Clive Goodman, but we now know that that is not true and the unlawful intrusion went considerably further. The PCC does not have the resources or the remit to investigate that unlawful trade within the press, and it certainly does not have the remit to investigate it beyond the press. That is why we need to oblige the Information Commissioner to do so.
New clause 11 would discourage those who might be tempted to engage in the unlawful trade in personal information, whether as buyers or suppliers. Section 55 of the Data Protection Act 1998 makes it an offence to obtain, disclose or “procure the disclosure” of confidential personal information “knowingly or recklessly”, without the consent of the organisation holding the data. Currently, convictions under section 55 attract a penalty of only a small fine or a conditional discharge.
The Information Commissioner, Christopher Graham, told the Home Affairs Committee on 26 April that he was concerned about a company that had been making a great deal of money selling customer information. All the participants had been making £70,000 a year from the trade. A separate example, outlined in “What price privacy now?”, is that of Anthony Clifford, who ran a private investigation agency, MRS, which engaged in sophisticated and systematic blagging. He pleaded guilty to 16 section 55 offences, but received a penalty only of 150 hours of unpaid work. In terms of sentencing guidelines, the court treated the offences as equivalent to a single incident of dangerous driving where there was little or no risk of personal injury. In either of those cases, if the same amount of money had been obtained through false accounting—assuming an amount of between £20,000 and £100,000—those convicted would have been looking at two years in prison. As it is, they can only be fined.
It is a sensitive matter, but I think there are still private investigators who are illegally obtaining data in industrial quantities, and there is no deterrence in law to their activities. I am attempting to persuade the Minister that we can stop that if the Government accept the new clauses. I understand the sensitivity of these issues so I will not push him hard, but I urge him to use his customary good judgment and I ask him, as I ask my Front-Bench colleagues, to take the provisions away for consideration.

John Robertson: I thank my hon. Friend for raising the subject of privacy, which is a very emotive subject in Parliament. I am sure the Government will take his proposals on board, although they will do so in the way that most politicians take things on board, which, sadly, is with one eye looking over their shoulder to see who is listening.
In supporting my hon. Friend, let me go back to what he said at the beginning. If the Minister does not accept the suggested changes, will he make clear what he proposes to do to find out how people are delving into ordinary peoples’ privacy and how the information that is obtained is seen? More important, will he have a word with the Home Secretary to find out exactly what is being done to bring those involved to book, even if some of them get only a fine?
I have spoken on a number of occasions in the House about the misuse of information. At the beginning of our proceedings, we discussed the introduction of identity cards. It was argued that information that could be obtained from an ID card could be misused by other people. I always quote the example, which my hon. Friend the Member for West Bromwich East mentioned, of people who buy goods in stores, but what we are talking about is even worse. Most people with cards that allow them to gain rewards are totally unaware of the information that can be gained from such a card. Other people can find out how many people live in the card owner’s house, whether they have any animals, what kind of food the people eat, whether they are vegetarians or whether they have special needs. It has always been important not to allow anybody to gain any information that could be passed on.
My hon. Friend is seeking to introduce some way of beefing up the system—that is what I wrote down on my bit of paper—to prevent people from venturing into deals where they do not really understand what will happen to the information they are being asked for. How many times have we all been asked for our names and addresses? If we ask what someone needs them for when we pay them some money, they always say, “Oh, it’s just for our records to make sure that everything’s okay.” They never say that they are taking the details to pass them to somebody else, who will annoy us and pester us. These people will find out where we live, and someone even knock on the door if they are in the area. How many times have we had phone calls from people who say they that are in the area and that they think we are interested in double-glazing or we have just bought a garage? That happens all the time, but we allow it to continue.
I might want my information to be passed to somebody else. I might want somebody to phone me up to give me a better deal on double-glazing or to sell me a new garage, and I might have requested somebody to come and give me an estimate, but the information will go to another company, and at no point in the procedure will anybody actually tell me, “I will be passing the information you are giving me to somebody else. Is that all right?” The answer, of course, would be no.
My hon. Friend mentioned that we should receive written explanations; my problem is that we have lots of written explanations. If people take out a credit card, they get a leaflet giving the rules governing the credit card, and if they buy other things, it is the same. I would need new glasses to be able to read the print in some of those leaflets—I have never seen such small print in all my life—but if it was put in a normal font size, the information would almost be book size.
We have to simplify such things, which is where the Government come in. The duty of the Government is to ensure that people are protected. People should understand exactly what they sign on to and know, before anything happens, that there is likely to be a phone call or a follow-up. They must have that information. The Information Commissioner may not be happy, as my hon. Friend says—[Interruption.] He seems to be unwell: either I am upsetting him or he just has a cough.
I say to the Government that not everything in Europe is bad. In many ways, people in Europe seem to have some of this down better than we have. I suggest that Ministers should look at why they are attacking our way of running things. Damages for victims strike me as an excellent way forward, but although victims can get damages, the damages never really fit the crime.
I read about one newspaper that attacked another, as they invariably do when they have no stories to run. It complained that the paper had not looked at the information it had been given on someone, but had just printed it. It printed that information because the person was then at the front of the news and the story added 20,000 copies to its circulation. That increase lasted for a while, before tailing off to where it had been before the paper told the story. The insinuation, which I have heard elsewhere, is that when a newspaper receives information it works out roughly how many extra copies it can sell and whether, if it receives a £100,000 fine, it will be worth while to sell those extra copies, given that it will also receive extra revenue from advertising as its circulation increases.

Jenny Chapman: The Bill clamps down hard on councils that might want to tackle such matters—for example, in relation to bogus school applications, which I realise is controversial—but we seem to be leaving other people completely unprotected from companies that are seeking only to make a profit.

John Robertson: My hon. Friend makes a very good point, which I was about to come on to. The fact is that the people who receive justice are usually those who have money anyway. Ordinary people are dragged through the newspapers through no fault of their own. They may be innocent bystanders who just happen to be in the wrong place at the wrong time—for example, if they live next door to where a crime happens, it is automatically inferred that they committed it.
Newspapers run over there and start throwing about the names of people who have been interviewed by the police. Depending on how it is said, “Helping the police with their inquiries” means two entirely different things. Put one way, the ordinary member of the public reading a newspaper will think, “He did it—I knew it was him.” Two or more weeks later, however, we find out that that person is totally innocent, yet that person has no recourse, because they are poor and do not have the nice lawyers to help them get the justice that they deserve. Even if they go down that road and get justice, in fact newspapers will already have made their money by increasing their circulation. I find that absolutely intolerable.
The Minister should be looking at damages for people and how to help them get recourse. It will mean beefing up the Data Protection Act, as well as the Bill. Hopefully, those in the other place, who are much more knowledgeable about such matters than I am, will take on board much of what has been said on this side of the Committee and take it forward.
I have written in my notes that “Penalty is not enough; the question is, ‘what is the penalty?’” My hon. Friend the Member for West Bromwich East said that the penalties are weak, and he is absolutely right. If the penalties were strong enough and there was a threat that a newspaper could even be closed down for deliberately putting lies in the public domain and ruining someone’s life, it might not mean a lot to the 60 million people in the United Kingdom, but it would mean an awful lot to the one person whose life had been ruined. That person needs to be protected, and it is the Government’s place to do that. I assure them that if they put damages for ordinary people and penalties in the Bill, I would be the first person to stand up and say that I supported them for doing that. I hope they have the guts to do it.
However—I go back to where I started my input to the debate—fear of reprisal from the media and newspapers will be too much for the Government. Sadly, when in government, my party did not have the guts to do anything, so we will be stuck with roughly the same system as we have now. However, that is not to say that it is not for people such as my hon. Friend the Member for West Bromwich, or East Bromwich—

Tom Watson: West Bromwich East.

John Robertson: As the hon. Member who represents Glasgow North West, I can say how great it used to be when we had constituency names. Now that we have areas, they do not seem to have the same flamboyancy.
Will the Minister stand up and say that my hon. Friend is absolutely right? He will not do that, but I want him to explain why he will not look into the privacy matter, protect ordinary people from such intrusions and ensure that they receive damages from those who perpetrate them.

Clive Efford: My hon. Friend the Member for West Bromwich East said that the new clauses were probing, but he is doing us all a great service by tabling them and giving the Committee the opportunity to discuss them. Such issues certainly come under the remit of a Protection of Freedoms Bill. Even if we do not bring in new clauses at a later stage of our proceedings to cover them, I suspect that over the next few years, a Government—whatever their persuasion—will introduce something to deal with the protection of information and the privacy of individuals.
We have only to look at the media or read daily newspapers to see that there is a major issue. At the moment, we are aware of media organisations that have intruded on the privacy of individuals. It seems to be the preserve of the super-rich to take out super-injunctions to protect their privacy but, as my hon. Friend said, the protection and handling of information covers a wide range of information that confronts us on a daily basis. It can range from, as he highlighted, an innocent request for people’s names and addresses when they purchase an item. It is considered that they are giving implied consent for their information to be used for subsequent purposes, of which they will not be aware. How people are informed about the use of information that is passed on in the future will need to be addressed. We have a wide range of legislation on data protection and freedom of information that particularly covers public bodies, but information in the private sector is traded and in some respects that is not welcome. We have seen that written large in some of the big issues reported recently. Whoever is in government will be drawn into addressing that issue.
We had a debate about judicial creep, where there is no regulation at the moment. People do not know what they should be doing to control information. In effect, super-injunctions and decisions in court are legislating; even the Prime Minister has commented and expressed concern. I am sure we all share that concern. As legislators and parliamentarians, we cannot desert the field. The public expect a framework that they can understand, and they expect public bodies and private organisations to abide by it. The Government will need to address the issue in future, if not under this Bill.

Jenny Chapman: I am quite alarmed to hear some of the things my hon. Friend is saying about people having their personal information used or misused by organisations, without their consent. But is he aware that at the other end of the spectrum, there are individuals about whom we would like to gain more information and at the moment, as the law stands, we are unable to do so? I am thinking about registered sex offenders who are currently under no obligation to provide authorities with their IP address. That needs to be looked at.

Clive Efford: My hon. Friend is right. She raises an important point. How information is used and stored, and prevented from being made available to people who need it would be of great concern to the public. It is essential that information relating to the circumstances that she highlighted can be accessed. In his amendments, my hon. Friend the Member for West Bromwich East highlights the wide range of areas in the management and handling of information where regulation needs to be tightened. The structure for managing the handling of that information needs to be made clearer. At the moment, decisions in courts seem to be determined by the ability of someone to actually get to court, which cannot be right, because it means that people who cannot afford to pursue their cases down that avenue may suffer injustice. It is our duty here to make sure that everybody is treated equally. It is not right that only those who can afford expensive barristers have their privacy, or the information held on them, protected.
We are also seeing an explosion in internet and other forms of information exchange, so the demand for Government to react and ensure that people’s privacy and personal details are handled properly will become even more imperative. It goes back to the point that I made earlier: events and progress often force Government’s hand and they have to legislate and regulate. This is one of those cases.
My hon. Friend the Member for West Bromwich East tabled new clause 5, which is about the privacy commissioner.

Gary Streeter: Order. It may help the hon. Gentleman if I point out that we are dealing with new clause 5 later.

Clive Efford: I beg your pardon, Mr Streeter. I thought it was part of this group, but it stands alone. I will speak to it later.
My hon. Friend highlighted the problem of the power of the press and some of its excesses. We need to strike a balance. We do not want to clip the wings of the press and restrict its freedom. A free press is a central part of a democracy, but at the same time, we have seen some excesses in the media, whereby that freedom and that right have been abused. Sadly, self-regulation has at times been left wanting.
Trying to regulate the media formally is a fraught area. Self-regulation is preferable, but the Press Complaints Commission has been found wanting in many respects. Unless it improves its performance and shows more independent-mindedness in the way it determines decisions about the press, the clamour for some sort of formal, legislative regulation will only increase. My hon. Friend raised some important points about how that has become a problem that needs to be addressed.
My hon. Friend talked about sanctions. It is clear from recent cases that the sanctions against those who abuse people’s privacy do not in any way match the gains that people can make from the sums of money involved in trading information. Moreover, the sanctions do not reflect the level of distress to individuals whose information has been made public under the pretence or pretext that it is somehow of public interest. That takes us back to self-regulation and the PCC, which has been found wanting in that regard. My hon. Friend is right to ask how we should regulate this area in the future and to point out that sanctions should reflect the scale of the intrusion committed.
Another issue is accountability and how the information is dealt with. At the moment, it is not clear who people are accountable to, who the public can go to for redress, or what their rights are when dealing with a situation in which they feel that information about them has been used in an improper way. That takes us back to an earlier point; people need to be far better informed about these things in the future. Through his new clauses, my hon. Friend has raised an important point by highlighting the fact that people are often ignorant of their rights and of what they may be opening themselves up to when they tick certain boxes on websites, fill in forms when they buy goods, or enter into certain agreements.
We will have to return in the future to the issue of making available to the public some form of information and a clear point of contact to address their complaints. I also think that the Government will be forced in the future—whether by this Bill or otherwise—to address the sort of issues raised by my hon. Friend’s new clauses. We should be grateful to him for the determination that he has shown in this area by raising the issues on our behalf whenever he has the opportunity. He does an exemplary job as a parliamentarian. He has brought to the attention of the Government a number of areas where there is great public concern about issues that the Government will need to address in the future. I will be interested to hear the Minister’s response.

James Brokenshire: I thank the hon. Member for West Bromwich East for the way he supported his new clauses. I know that he has followed the issue closely for several years and that the clauses are not meant to make any partisan or party political point. The new clauses are technical in nature. I note that he has received the Clerks’ support in tabling them, but the issue is essentially technical. I will try to respond to many of the points that he highlighted in the context of the new clauses. He rightly identified two themes emerging from this group. I recognise the points that the hon. Gentleman highlighted; they are informative in feeding into the broader debate on the Data Protection Act and other points.
It was interesting to hear the comments of the hon. Member for Eltham, who strayed slightly outside the group of amendments and highlighted broader issues that involve the Data Protection Act, super-injunctions and privacy. The Government recognise the importance of finding the correct balance between the individual right to privacy and the right to freedom of expression and the transparency of official information. Before I turn to the new clauses’ provisions on the Data Protection Act, it is worth mentioning to the hon. Gentleman that the Master of the Rolls’s committee, which has been examining the use of super-injunctions and other issues relating to injunctions binding the press, is due to report shortly, and the Government will be considering its report closely and carefully.
The hon. Member for West Bromwich East and his colleague, the hon. Member for Glasgow North West, highlighted the issue of unwanted material or information. There is a separate regime under the Privacy and Electronic Communications Regulations 2003 for signing up for mail preference services. Similar services operate for e-mail and telephone, allowing people to opt out of receiving unwanted information.
As the hon. Member for West Bromwich East said, the group of new clauses relates to the rights of data subjects and relevant definitions as set out in the Data Protection Act 1998, as well as the enforcement of the Act by the Information Commissioner and penalties for unlawfully obtaining personal information. Members may not be aware that the Government, through the Ministry of Justice, recently issued a call for evidence to gather views about how well the current framework of data protection law in the UK works and how it might be improved, in preparation for forthcoming EU negotiations on a new European data protection instrument that are scheduled to begin later this year. Some of the hon. Gentleman’s comments have been helpful in starting that debate and adding to some of the points highlighted to colleagues in the Ministry of Justice.
As part of that process, the Government are considering all aspects of the Data Protection Act, including its definitions, the conditions for processing personal data, the Information Commissioner’s enforcement powers and the rights of redress for data subjects. The new clauses seek to address those issues. The Government are determined that any changes to the existing data protection framework will be based on robust analysis of the evidence, and they will ensure that any costs of increased data protection safeguards are proportionate to the benefits. That will strike the right balance—a subject at the core of a number of our debates on the Bill.
I hope that the hon. Gentleman understands that although I will not be able to accept the new clauses in Committee—I have noted the probing nature of some of them—there is a continuing exercise with regard to the new instrument from the Commission. I am sure that will trigger further consideration of the data protection provisions, and the information and evidence that has been provided through the call for evidence has already informed the process.

Tom Watson: The Minister might not be able to answer this question now, as the decision might not have been made, but does he envisage new legislation on the back of the EU negotiations, or revised regulations?

James Brokenshire: I genuinely cannot address that point straight on because there will be negotiations, which we expect to commence later this year, in the context of whatever new instrument comes from the Commission shortly. I might be able to project and envisage certain things, but I would be looking at a crystal ball if I tried to second-guess what the instrument might look like. That response is probably not helpful in this context, but I hope that what I have said will at least assure the hon. Gentleman that the issues are being considered broadly, in the context of that instrument, which itself will prompt negotiation and further detailed debate, discussion and examination. Nevertheless, it might help if when responding to the various new clauses, I highlight where certain of the hon. Gentleman’s concerns might not be rejected fully, or where they might have already been addressed in other ways.
New clause 2 seeks to impose the higher standard of consent, currently reserved under the EU data protection directive for sensitive personal data, on data controllers processing non-sensitive personal data. In practical terms, it would impose a more burdensome requirement on UK data controllers than we believe the EU has, to date, found appropriate. The processing of personal data, from everyday transactions to social networking, is vital to deliver the services that consumers want and often take for granted, but the provision might have the effect of obliging businesses to obtain explicit and specific consent from every data subject when consent is required, each time a new or subsequent form of processing takes place. That would result in citizens being inundated with formal consent requests for even the most mundane activities, such as using a store loyalty card or sending an e-mail to a colleague. The Government believe that the higher consent requirement should be reserved for situations that require it and that it should not be made a standardised and disproportionately burdensome obligation. Those issues will clearly remain live in the context of the evidence that the Government have received and the possible further proposals from the Commission.
New clause 3 seeks to introduce a new wide-reaching power of entry and inspection to enable the Information Commissioner to audit a data controller’s compliance with the requirements of the Data Protection Act. The hon. Gentleman might be aware that, under schedule 9 of that Act, the Information Commissioner may apply for a warrant to enter and inspect premises when there are reasonable grounds for suspecting that a data controller has contravened any of the data protection principles, and that may be done without notice to the occupier, if a judge is satisfied that the case is urgent or if giving notice would defeat the object of the entry. Conversely, the power proposed in the new clause would not require a warrant and would amount to greater powers of entry than those potentially available to the police when investigating criminal offences. It is also worth noting that in most cases, data controllers co-operate fully with the Information Commissioner and provide him with the information that he requests in order to resolve the case. When they do not, the commissioner already has a number of coercive investigative powers.
New section 41A of the Data Protection Act was inserted by the Coroners and Justice Act 2009. It came into force in April 2010 and gives the Information commissioner new powers of investigation. The commissioner may serve an assessment notice on data controllers in Departments, or on those who fall within any other category designated in secondary legislation. Among other things, such a notice may require the data controller to allow the commissioner to enter its premises to inspect documents and to assist the commissioner with his investigation. There has been some more recent strengthening of the powers of the Information Commissioner in that regard, but as I have said, the matter remains under the broad review to which I have already drawn attention.
The amendment to the Data Protection Act that new clause 4 proposes seeks to introduce greater scope for individuals to claim compensation when distress without damage has been suffered as a result of a breach of the Act. As it stands, the Data Protection Act provides for individuals to seek compensation for distress only when it accompanies other damages or when it arises from processing one of the “special purposes”, which are art, journalism and literature. The Government recognise the importance of redress mechanisms in cases where data protection principles are breached. However, we believe that the current approach is proportionate and fair to both individuals and data controllers. As I have said, specific provisions apply under section 13 of the Data Protection Act, and compensation for distress without damage can be claimed when the contravention relates to the processing of personal data for the “special purposes”, so provisions govern that area. The benefit for individuals of the change in the new clause does not justify the potential implications, particularly those that apply to very minor breaches that cause no other actual damage and affect large numbers of people.
New clause 6 seeks to amend the wording of the definition of personal data so that it
“shall not be taken to mean that the information must be biographical in nature, compromise the privacy of the data subject or have the data subject as its principal focus.”
The definition of personal data is an important element of the Data Protection Act, because it determines the scope of the Act. Hon. Members may be aware that the proposed definition in the new clause is taken from the court case of Durant v. Financial Services Authority in 2003. Perhaps some of the concerns arose, in part, following the Durant case. In the House of Lords case, the Common Services Agency v. Scottish Information Commissioner in 2008, Lord Hope stated that it was in the context of the particular facts in Durant that the notions of biographical significance and focus might be of assistance, and not more broadly. In other words, the subsequent case of the CSA v. Scottish Information Commissioner sought to narrow the potential application of the Durant judgment to its specific facts and circumstances.
We are confident that the definition in the Data Protection Act already effectively implements the definition in the directive. Because of that and because of the lack of any practical benefit that we can identify, the Government do not consider the amendment either necessary or desirable.
On new clauses 10 and 11, we are certainly cognisant of the harmful consequences of the illegal disclosure and procurement of personal data and the need to ensure that criminals are effectively deterred from unlawfully misusing personal data. Section 55 of the Data Protection Act, which the hon. Member for West Bromwich East has rightly referred to, makes it a criminal offence to obtain or disclose unlawfully personal data without the consent of the data controller. It is equally an offence when there is a commercial aspect to the procurement or disclosure of personal data, where there has been some sort of “trade” in that data and in those situations where no money changes hands.
It might help the Committee if I were to give an example. The existing offence covers situations where an employee of a company is paid by a criminal gang to secure the personal data of the company’s customers. The gang might then use that information to commit identity theft. It goes without saying that the Government are serious about tackling that sort of crime. However, we are not convinced of the need to oblige the Information Commissioner to report to Parliament each year on this issue. The Information Commissioner is already obliged to lay his annual report before Parliament each year and that report already contains details of the commissioner’s enforcement activities, including section 55 prosecutions.
In addition, the commissioner can already lay a special report before Parliament on any specific topic or issue that he considers it necessary to report on. It was under that provision that the previous Information Commissioner presented two reports on the illegal trade in personal data in 2006, which the hon. Gentleman has referred to. That is not to say that on issues such as fraud, which a number of these matters relate to, that further work is not required. I believe that further work is required and the Home Office has recently taken lead Department responsibility for fraud. Therefore we are examining the issues of fraud in co-operation with the National Fraud Authority and we are looking at ways in which work on fraud—whether that is identity fraud or more general fraud—can be enhanced. I am well aware of the way that stolen data can be used to perpetrate frauds, quite often online. Reference has been made to stolen data in a number of cases. We will examine how we can better respond to fraud in a very practical way, to ensure that fraud is given the important status that it deserves because of the huge implications it can have for so many people.
I turn now to sentencing. As I have said, the Government are considering all aspects of the Data Protection Act, including enforcement. It is worth noting that more serious data protection offences can already be committed to the Crown court, which is able to impose an unlimited fine under existing legislation, depending on the severity of the offence. I fully acknowledge that the illegal trade in personal data can cause individuals serious harm.
We believe that there are effective measures to deter would-be criminals from committing these offences, but we will keep this issue under examination as part of the broader review that I have mentioned. For example, there are other ways in which it might be addressed. It is possible that gains made through the unlawful obtaining of personal data could be confiscated under the Proceeds of Crime Act 2002. The court is also able, where appropriate, to impose a compensation order, requiring a defendant to pay compensation for any loss or damage resulting from the offences committed by him or her. Apart from fines, there are other means by which some form of redress can be brought about. The way that unlawful assets and the proceeds of crime are properly tracked is a significant issue in its own right, which deserves further work.
The hon. Gentleman has highlighted a number of important points. As I hope he recognises, the Government are looking at this issue carefully. We are examining the evidence that exists to see what will make a difference and what is proportionate. There will be further consideration in the context of the new measures that the European Commission will be publishing. I am sure that my colleagues in the Ministry of Justice will be engaged in detailed negotiations on that issue.
I genuinely thank the hon. Member for West Bromwich East for tabling these new clauses and for putting on record his own concerns and indeed the concerns of others outside the House. I am absolutely sure that this will remain a very important and very live debate in the coming months. He has done good service to this Committee and more generally by tabling these new clauses.

Tom Watson: That was the most kindly rejection and glorious technical demolition of my new clauses. How can I resist the Minister’s request to withdraw them?
I have several points to make. First, I would be grateful if the Minister brought the concerns raised during this debate to his colleagues in the MOJ as they proceed with the EU review. Secondly, I thank him for keeping an open mind about section 55. I suspect that we will have to revisit it at some point. Thirdly, I am extremely grateful for his staggeringly helpful interpretation of the Proceeds of Crime Act 2002, which I think will have a wider deployment in pending cases in years to come. I beg to ask leave to withdraw the motion.

Clause, by leave, withdrawn.

New Clause 5

‘(1) The Secretary of State shall appoint a Commissioner to be known as the Privacy Commissioner (referred to in this section as “the Commissioner”).
(2) It shall be the duty to the Commissioner to promote respect for individual privacy and data protection.
(3) The Commissioner shall have all the duties and functions set out in—
(a) section 51 of the Data Protection Act 1998 (Data Protection Commissioner),
(b) section 57 of the Regulation of Investigatory Powers Act 2000 (Interception of Communications Commissioner),
(c) section 91 of the Police Act 1997 and section 62 of the Regulation of Investigatory Powers Act 2000 (Chief Surveillance Commissioner),
(d) section 20 of this Act (Commissioner for the Retention and Use of Biometric Material), and
(e) section 34 of this Act (Surveillance Camera Commissioner).
(4) The Commissioner shall have all the powers which attach to the offices set out in subsection (3).
(5) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about any matter within the scope of his functions under this Act, and may give advice to any person as to any of those matters.
(6) Any reference in any enactment, instrument or other document to a person carrying out the duties and functions set out in subsection (3) shall be construed, in relation to any time after the commencement of this section, as a reference to the Commissioner.
(7) Any appointment made to any of the offices set out in subsection (3) is hereby terminated.’.—(Mr Watson.)

Brought up, and read the First time.

Tom Watson: I beg to move, That the clause be read a Second time.
If I could play a joker card during the passage of the Bill and force through one new clause, this would be it. I suspect that I do not have the persuasive powers to achieve that, but I will give it a go.
I view the clause as helping to kick-start the debate about how Parliament deals with emerging notions of privacy in the age of the internet. It is a probing clause to explore the possibility of creating a single privacy commission to regulate all data protection and privacy issues in the UK. Here is my pitch to both Front Benches. Notions of privacy are changing. We live in the age of information abundance. Newspaper editors can no longer enforce scarcity of information by spiking stories that they do not like, thank the Lord.
Our children are leaving a digital footprint that will exist for eternity. In the decades to come, that will profoundly change how we think about the personal and the public. Thank the Lord, again, that Facebook did not exist when I was a teenager. If it had, I suspect that the editor of News of the World would have ensured that I would not be moving this clause. The truth is that we do not know the social impact of that collective public display of teenage angst. Personally, I have a hunch that it will make us a more tolerant and relaxed society out of necessity, but it might not.
In public policy terms, that means that Members elected last year in particular will have to deal with the tensions created by new and changing notions of privacy, probably for the rest of their parliamentary careers. That is emerging in current debates, in this Committee and outside it, examining the idea of super-injunctions and the internet. Phone hacking—dare I say it again?—essentially involved an industry that thought that new laws cast to enshrine privacy did not apply to it.
I do not have all the answers, but I am deeply concerned that Parliament is not even asking the right questions in this area of policy. New clause 5 is an attempt to address some of the issues that we must deal with. It is formed from a view that sits with the dilemma that the Prime Minister has discussed in recent weeks. We do not want judges deciding what is and is not private, but neither do we want politicians deciding.
By wrapping up all the different commissioners with an interest in privacy matters, we would create a single go-to organisation that could deal with the inevitable tensions in public policy that will arise for many decades to come. A regulator with a clearly defined public role can do what judges and politicians find it hard to do: apply a reasonableness test to privacy disputes and back them up with evidence and research.
I am aware that more detailed work is necessary to set out the powers of such a commission. However, in my view, the Bill provides the right framework for establishing it. The clause is supported by Action on Rights for Children, Privacy International, GeneWatch UK and the Open Rights Group. For declaratory purposes I should say that I am an occasional member of the advisory board of the ORG, not without remuneration.
The Bill proposes the establishment of two new commissioners for biometrics and CCTV. That will expand the number of commissioners responsible for privacy and surveillance from three to five, but it will not necessarily lead to greater protection for the public. It may even fracture the protections that already exist. The only way of providing meaningful oversight of freedom and privacy is to bring all those commissioners into a single privacy commission. That would have many benefits: the current gaps in coverage would be closed, members of the public would understand to whom they should address their questions and complaints, it would potentially save a considerable amount of public money and it would provide a more future-proof structure, within which future legislation could be naturally located. When there is a multiplication of commissioners, it confuses the essential relationship of all those disparate issues, which all of us, if we remain in Parliament, will be dealing with.
As things stand, the Information Commissioner is responsible for promoting and enforcing compliance with the Data Protection Act. His functions relate to the processing of personal data, which includes CCTV and biometric information, and data obtained via surveillance, interception or covert means. Although that is potentially a broad remit, in practice the Information Commissioner has made it clear that he does not feel able to act in situations that may be covered by another statutory body outside the Data Protection Act. For example, in his response to the 2009 Home Office consultation, ‘Protecting the public in a changing communications environment’, he said:
“The first data protection principle states that processing of personal information must be fair and lawful. Any processing of personal information which has been obtained in contravention of the provisions of section 1(1) of RIPA would also be in breach of the first principle. Understandably organisations approach the ICO for advice. However, it is inappropriate and arguably beyond his powers for the Information Commissioner to advise on the lawfulness of interceptions of communications under RIPA. He does not have particular expertise in this area. An organisation could follow the advice of the Information Commissioner but still be liable for prosecution if the prosecuting authority for RIPA takes a different view.”
The Minister probably knows where I am going with some of this.
The interception of communications commissioner was created by section 57 of the Regulation of Investigatory Powers Act 2000. His role is limited to the oversight of those who issue warrants and the procedures of those acting under warrants. He has no power to investigate complaints or to advise the public, and no duty to provide advice to organisations that may fall outside the remit of RIPA. That creates a gap in regulatory control of the interception of communications, mainly in the private sector.
The chief surveillance commissioner has similarly limited powers. His function is to keep under review the operation of the powers and duties of directed and covert surveillance under RIPA. Although he may quash the authorisation of covert surveillance, in practice that rarely happens. There is considerable lack of transparency regarding the functions of the surveillance commissioners.
Currently it is proposed that the surveillance camera commissioner will be responsible for advising on a code of practice to be drawn up by the Home Secretary—I will not rehearse the argument—encouraging compliance with the code and reviewing its operation. The role does not carry any regulatory or enforcement function and the application of the code is in any case limited in scope. In practice, it will apply to local authorities and policing bodies in England and Wales.
The Information Commissioner already has a code of practice covering the whole UK, including the public and private sectors. However, he has never used his enforcement powers. Given his evidence to the Home Office consultation I mentioned earlier, and some of our discussions, it is likely that regulation will be surrendered to the new SCC commissioner, although the Minister will tell me if I am wrong.
The biometrics commissioner’s role is limited to reviewing national security determinations. He will review any determination made under existing terrorism legislation or under clause 9 of the Bill. He may order the destruction of biometric material if it cannot lawfully be retained. His title is significantly broader than his actual remit, as he has no function in relation to any other retention of biometric material.
It can be seen from the list I have just read out that there is already a confusion of powers, which may get worse if the Minister is not convinced by the power of my argument. Although those areas of responsibility not specifically assigned to a particular commissioner default to the ambit of the Information Commissioner, it is leading in practice to significant gaps in coverage, which the creation of yet more commissioners can only aggravate. Even for those with in-depth knowledge of each commissioner’s remit, the situation is confusing. For members of the public without any such knowledge, it is almost impossible to know where to direct complaints or seek advice.
The creation of a single commission taking in all the functions I have mentioned would ensure that lacunae are identified and that the public are provided with the comprehensive protection they are entitled to expect. Greater clarity of role and function would make it easy for people to find advice and to make complaints. Such an opportunity to seek redress is increasingly important as access to legal aid, and hence the courts, becomes more restricted.
Precedents already exist for creating a single commission. The Equality Act 2006 created the Equality and Human Rights Commission, which brought together the Commission for Racial Equality, the Equal Opportunities Commission and the Disability Rights Commission. In April 2006, the Tribunals Service was created by merging some 70 different tribunals into a single service. At the beginning of April this year, it was further merged with the Courts Service to create a single integrated agency—Her Majesty’s Courts and Tribunals Service.
The rationale for those changes was to simplify procedures, make it easier for members of the public to find help and redress, avoid gaps in coverage and create bodies that actively promote public understanding of people’s rights. The logic of that approach also applies in this case. The reasons for creating the Equality and Human Rights Commission and the Tribunals Service are exactly the same as those that I am outlining for the creation of a privacy commission. I am convinced that the time has come for the same approach to be taken to information privacy and data protection rights.
On the point about the public purse, I am afraid that I am not a Treasury Minister, but at a time of huge cuts in public spending, it is hard to justify the fixed costs of running five separate offices, as well as all the other associated costs. The budget for the interception of communications commissioner is £1.7 million. Although I have not yet been able to find figures for the office of the chief surveillance commissioner, it is reasonable to assume that the budget is the same or larger, and there is no reason to suppose that the cost of the new commissioners will not be similar.
By contrast, the data protection functions of the Information Commissioner are met entirely from fees, which generated £13 million per annum the last time I checked. Taking all the commissioners into a single privacy commission would combine the office and administrative budgets, and the current income of the Information Commissioner would be made available. That would undoubtedly reduce the costs to the public and maintain value as we expand the current regulatory system.
On my point about future-proofing, the Bill has become necessary because existing powers are inadequate to deal with developments in new technologies. It is attempting to deal with a situation in which civil liberties have already been compromised and problems have become entrenched. I must say to the Minister that other new technologies coming down the line will offer similar challenges to policy makers in the future: the development of radio frequency identify devices, mobile location technology and other potentially invasive technologies that can be bought on the internet on a shoe string. If the response to each new threat to privacy is to create yet more commissioners with partial powers, we will end up with a vast array of commissioners, none of whom will have sufficient oversight to provide meaningful regulation, with each dissipating public protection still further.
The Committee has to think in terms of a structure that is sufficiently flexible to encompass all future threats to privacy, as well as those already identified in the Bill. A privacy commissioner would be able to respond to privacy challenges as soon as they became apparent, and deal with them before they caused serious infringements of civil liberties and data protection laws. If we had had a privacy commissioner in the late 1990s, the heir to the throne would not have had his phone hacked in 2005.
The creation of a privacy commission would also ensure that we comply with future EU data protection directives, which were outlined by the Minister. Most EU countries already have a single commission to deal with data protection and information privacy, and the emphasis in the EU is increasingly on greater coherence in data protection requirements, as the outlined by the Minister in his brilliant rejection of my previous technical clauses.
I am aware that I have not touched on the use of the Freedom of Information Act 2000, but in essence I am saying to the Minister that my proposal is a common sense simplification of the current system. I am pretty certain that he will not be able to tell me that it is a brilliant idea and that he will rewrite the Bill, notwithstanding the geniuses who work for him on the Bill team, but I hope that he will at least take the idea away, and that my Front Bench colleagues will too. Perhaps, if the Minister has an opportunity in the future, he will realise that we have to rationalise the regulation of privacy matters in the UK, and that this is, perhaps, one way that we can start.

John Robertson: Once again, I congratulate my hon. Friend on his important contribution. Many years ago, I was on the Bill Committee of what became the Communications Act 2003. I will not say an awful lot in my contribution, but I remember that I said then part of what I am about to say now about where we were going and how we should look at the future. When I left school, I became an apprentice telephone engineer and was then involved in the communications industry for 21 years. In my 10 years as an MP, I have been the chair of the all-party parliamentary communications group and have always felt strongly about the issue. If there is one thing I know, it is that communications have changed over the years. Even in my 10 years as an MP, things are completely different today from what they were 20 years ago.
Bills have always been scrutinised in relation to what happened in the past. We change the law to try and change something that was wrong, but sometimes we need to look at the future and try to anticipate change. We cannot bring in a Bill that says, “This will happen in five years’ time;” we cannot even bring in a Bill that says, “This will happen in five minutes’ time”, but we have to consider ways to change and to adapt to what is happening today.
My question to the Minister is: what is privacy? What was privacy 10 years ago, and what will privacy be in 10 years’ time? He might be able to answer two of those questions, but he will not be able to answer the third. Why are we asking five people to look at those sorts of things? If we put five people in charge of ministries where each crosses over to the other, there is a problem. We see that in the day to day running of Parliament, where Ministers will not talk to each other; one puts forward a solution for something and another suggests a similar solution for something else. At the end of the day, there has to be somebody to tie things up. The Minister might say that the Prime Minister is that person. Well, if he is, I hope he does a better job than he has been doing.
The communications industry is changing and that has an effect on people’s privacy. We do not have a privacy law, although there probably should be one. We now have social networking, which is, to all intents and purposes, the way forward and which will be developed as the years go by.
My hon. Friend the Member for West Bromwich East has talked about pornography and how parents are worried about such things. There has to be somebody who can pull all the bodies together. My hon. Friend suggested a commissioner. He has done all the technical bits and I believe that that will be the way forward in the future, whether the Government agree to what he says or not. They have to ask what will happen over the next five years and whether the Bill can cover it. I do not think it can. It needs to be amended so that we have to revisit certain aspects of privacy and communications in order to adapt and make sure that people in this country are protected.

Clive Efford: My hon. Friend the Member for West Bromwich East again deserves congratulations. He said that the new clause was a probing amendment, but during his substantial contribution he highlighted some of the areas that will need to be addressed in the future. Issues have been raised about the co-ordination of the five commissioners and all the different pieces of regulation. He highlighted eloquently some of the dangers that lie ahead. Again—I made this point in my previous contribution—the issue transcends politics and whoever is in power will have to address it. New technology on the horizon, and which may already be in use, will present even more challenges for regulators who protect the public. That makes it imperative that we have these debates, and my hon. Friend has set out that case.
We are not yet convinced that there is a case for a single commissioner to encompass all the powers of the three existing commissioners and the two created by the Bill to cover the Data Protection Act and the Regulation of Investigatory Powers Act 2000. My hon. Friend has, however, highlighted some areas to which future consideration must be given in order to ensure that we do not see some of the problems that he outlined.
I have some questions before I sit down, or am forced to sit down. Do the Government accept that there are gaps in regulation and oversight, as my hon. Friend has set out, in relation to the commissioners and the current regulatory regime? Does the Minister accept that having so many different areas of responsibility in the governing and collecting of information and surveillance may cause confusion? The potential confusion of the public may cause problems for people seeking redress in the future or understanding what their rights are. Is it likely that the Government will be forced to regulate in the future, and have they given that any consideration?
My hon. Friend also raised the issue of complaints. How will people know where to go? Who do they go to in order to seek redress and make complaints? Will that be made clear to them? The time is fast approaching for you to force me to sit down, Mr Streeter, so I conclude my comments.

Gary Streeter: Brilliant timing.

The Chairman adjourned the Committee without Question put (Standing Order No. 88).

Adjourned till this day at Four o’clock.